Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description A high-level Python Web framework that encourages rapid development and clean design
Version 3.2.2-1 [extra]


Group Affected Fixed Severity Status Ticket
AVG-1924 3.2.1-1 3.2.2-1 Medium Fixed
AVG-1910 3.2-1 3.2.1-1 Low Fixed
AVG-1776 3.1.7-1 3.2-1 Low Fixed
AVG-1593 3.1.6-1 3.1.7-1 Medium Fixed
AVG-1518 3.1.5-1 3.1.6-1 Low Fixed
AVG-1217 3.1-1 3.1.1-1 Medium Fixed FS#67794
AVG-1176 3.0.6-2 3.0.7-1 Medium Fixed
AVG-1111 3.0.3-1 3.0.4-1 Medium Fixed
AVG-1091 3.0.2-1 3.0.3-1 Medium Fixed
AVG-1080 2.2.6-1 2.2.9-1 High Fixed
AVG-1070 2.2.6-2 2.2.9-1 Low Fixed
AVG-1015 2.2.3-1 2.2.4-1 Medium Fixed
AVG-1000 2.2.2-1 2.2.3-1 High Fixed
AVG-969 2.2.1-1 2.2.2-1 Medium Fixed
AVG-881 2.1.5-1 2.1.6-1 Medium Fixed
AVG-839 2.1.4-1 2.1.5-1 Medium Fixed
AVG-773 2.1.1-1 2.1.2-1 Medium Fixed
AVG-743 2.0.7-2 2.0.8-1 Medium Fixed
AVG-649 1.11.10-1 1.11.11-1 Medium Fixed
AVG-624 1.11.8-1 1.11.10-1 Medium Fixed
AVG-233 1.10.3-2 1.11-1 Medium Fixed
AVG-57 1.10.2-1 1.10.3-1 High Fixed
AVG-35 1.9.9-1 1.10.1-1 Medium Fixed
Issue Group Severity Remote Type Description
CVE-2021-32052 AVG-1924 Medium Yes Url request injection
In Django before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application...
CVE-2021-31542 AVG-1910 Low Yes Directory traversal
A security issue has been found in Django before version 3.2.1. MultiPartParser, UploadedFile, and FieldFile allowed directory- traversal via uploaded files...
CVE-2021-28658 AVG-1776 Low Yes Directory traversal
A security issue was discovered in Django before versions 3.1.8, 3.0.14 and 2.2.20. MultiPartParser allowed directory-traversal via uploaded files with...
CVE-2021-23336 AVG-1593 Medium Yes Url request injection
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable...
CVE-2021-3281 AVG-1518 Low No Directory traversal
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and...
CVE-2020-24584 AVG-1217 Medium Yes Insufficient validation
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories...
CVE-2020-24583 AVG-1217 Medium Yes Access restriction bypass
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS...
CVE-2020-13596 AVG-1176 Medium Yes Cross-site scripting
A possible XSS has been found in Django before 3.0.7, via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not...
CVE-2020-13254 AVG-1176 Medium Yes Information disclosure
An information disclosure issue has been found in Django before 3.0.7, via malformed memcached keys. In cases where a memcached backend does not perform key...
CVE-2020-9402 AVG-1111 Medium Yes Sql injection
A potential SQL injection has been found in Django before 3.0.4, via tolerance parameter in GIS functions and aggregates on Oracle.
CVE-2020-7471 AVG-1091 Medium Yes Sql injection
django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
CVE-2019-19844 AVG-1080 High Yes Insufficient validation
Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this...
CVE-2019-19118 AVG-1070 Low Yes Privilege escalation
A privilege escalation issue has been found in Django since 2.1 and before 2.2.8 or 2.1.15, where a user who lacks permission to edit a model should not be...
CVE-2019-14235 AVG-1015 Medium Yes Denial of service
If passed certain inputs, django.utils.encoding.uri_to_iri() could lead to significant memory usage due to excessive recursion when re- percent encoding...
CVE-2019-14234 AVG-1015 Medium Yes Sql injection
Key and index lookups for JSONField and key lookups for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary...
CVE-2019-14233 AVG-1015 Medium Yes Denial of service
Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large...
CVE-2019-14232 AVG-1015 Medium Yes Denial of service
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were passed the ``html=True`` argument, they were extremely slow to evaluate...
CVE-2019-12781 AVG-1000 High Yes Silent downgrade
An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via...
CVE-2019-12308 AVG-969 Medium Yes Cross-site scripting
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated...
CVE-2019-11358 AVG-969 Medium Yes Cross-site scripting
jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable...
CVE-2019-6975 AVG-881 Medium Yes Denial of service
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows uncontrolled memory consumption via a malicious attacker- supplied value to...
CVE-2019-3498 AVG-839 Medium Yes Content spoofing
A content spoofing issue has been found in django before 2.1.5 and 1.11.18, where an attacker could craft a malicious URL that could make spoofed content...
CVE-2018-16984 AVG-773 Medium Yes Information disclosure
If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but...
CVE-2018-14574 AVG-743 Medium Yes Open redirect
If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path...
CVE-2018-7537 AVG-649 Medium Yes Denial of service
If django.utils.text.Truncator’s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to...
CVE-2018-7536 AVG-649 Medium Yes Denial of service
The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular...
CVE-2018-6188 AVG-624 Medium Yes Information disclosure
A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an...
CVE-2017-7234 AVG-233 Medium Yes Open redirect
A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t...
CVE-2017-7233 AVG-233 Medium Yes Cross-site scripting
Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check...
CVE-2016-9014 AVG-57 High Yes Access restriction bypass
Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS...
CVE-2016-9013 AVG-57 High Yes Authentication bypass
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the...
CVE-2016-7401 AVG-35 Medium Yes Cross-site request forgery
Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary...


Date Advisory Group Severity Type
20 Feb 2021 ASA-202102-28 AVG-1593 Medium url request injection
07 Feb 2021 ASA-202102-18 AVG-1518 Low directory traversal
03 Sep 2020 ASA-202009-4 AVG-1217 Medium multiple issues
06 Jun 2020 ASA-202006-8 AVG-1176 Medium multiple issues
08 Mar 2020 ASA-202003-5 AVG-1111 Medium sql injection
03 Feb 2020 ASA-202002-1 AVG-1091 Medium sql injection
05 Aug 2019 ASA-201908-2 AVG-1015 Medium multiple issues
06 Jul 2019 ASA-201907-2 AVG-1000 High silent downgrade
04 Jun 2019 ASA-201906-2 AVG-969 Medium cross-site scripting
12 Feb 2019 ASA-201902-14 AVG-881 Medium denial of service
11 Jan 2019 ASA-201901-6 AVG-839 Medium content spoofing
01 Oct 2018 ASA-201810-5 AVG-773 Medium information disclosure
01 Aug 2018 ASA-201808-1 AVG-743 Medium open redirect
06 Mar 2018 ASA-201803-5 AVG-649 Medium denial of service
06 Apr 2017 ASA-201704-2 AVG-233 Medium multiple issues
16 Nov 2016 ASA-201611-15 AVG-57 High multiple issues
21 Oct 2016 ASA-201610-13 AVG-35 Medium cross-site request forgery